MikroTik software, RouterOS, has multiple interfaces. One is Telnet, another is a Windows application, WinBox 3.0. A demo of the web UI is at demo.mt.lv. Its v6.38 as of Jan. 2017. You can also download an ISO for free, burn it to a CD, boot from the CD and run RouterOS for 24 hours.

Since many router owners do not update the firmware, a router that self-updates is, almost always, a good thing. Not that it doesn't leave other problems, but one less is one less. This list is, no doubt, incomplete. And, the view that self-updating is always good is overly simplistic. The Security Checklist page has the details on what to look for. The Routers with Self Updating Firmware page has details on how some vendors compare to this checklist.

Google Wifi and their previous OnHub line. Beware though, Google Wifi likes to reboot itself in the middle of the afternoon.

The Turris Omnia is fully open source, both the hardware and software. They maintain a change log so you can verify that the automatic updates are being installed. As of June 2018, it was available all over Europe and is expected to be approved by the FCC for sale in the US by Oct. 2018. I have a page devoted to the Turris Omnia router.

Both Synology routers are probably king of this hill. I say probably because I have not used them personally, but a demo indicated they update like Synology NAS
devices. The first was the RT1900ac. The second, released Dec. 2016, is the RT2600ac. Synology claims "SRM can automatically perform upgrades on a schedule for maximum convenience." Release notes for the RT1900ac and RT2600ac are reasonably detailed.

Based on my reading, the Linksys EA7500, EA8500 and EA6900 can update their firmware automatically. So too can the Linksys WRT1900ACS according to page 67 of its manual. In addition, I am told by someone at Linksys that all of their "Smart-Wifi" branded routers can self-update. These devices usually have model numbers starting with EA or WRT.

FRITZ!Box home routers, popular in Germany and Australia, can not only self-update but they (or the ISP or the manufacturer, its not clear) can send email notification of newly updated firmware.

Avira Safe Things is router firmware. Its website says: "It will constantly be up to date. Avira SafeThings™ is self-updatable, and it always benefits from last-minute threat protection techniques from the SafeThings Protection Cloud."

According to Gryphon their Software and Protection updates occur automatically. Gryphon routers were first shipped in Feb. 2018.

Untangle, which is high end router software, can self-update

According to this article the Motorola devices used by AT&T UVERSE automatically update whenever the AT&T management platform rolls out an upgrade.

As of April 2018, The Mercku M2 mesh router system is on Indiegogo and its expected to ship in July 2018. This article about it says "Updates are made automatically over the air to keep the M2 up to date in both its features and security" but the Indiegogo page says nothing about self-updating.

According to a Feb. 2018 article, someone from Netgear claimed that from 2017 onward, Netgear routers have had the automatic update function built in. The Netgear R6400 router can self-update. This was a new feature added around May 2018, give or take. The Netgear Orbi mesh router system does not self-update. In Nov. 2017, I reviewed the Orbi WiFi System User Manual dated March 2017. The manual is full of instructions for manually updating firmware and says nothing about automatic self updating. The manual was updated in Sept. 2018 and it still says nothing about automatic firmware updates.

pfSense is recommended by many, but I have no personal experience with it. The software, based on FreeBSD, can be
downloaded for free and installed on an old computer as long as it has two Ethernet adapters. It is also sold as hardware appliance. The cheapest model, the
SG-2220 is $299 without Wi-Fi and with a single LAN side Ethernet port (so you have to add your own
switch. On the Oct. 20, 2015 episode of the Security Now podcast Steve Gibson, a pfSense user, described why he
likes it: there are lots of features, very flexible NAT translation including dynamic mapping, great flow control, and it includes both an OpenVPN client and server. He
used a box from SOEKRIS to build his. On a later podcast, Gibson also recommended pcengines.ch for buying hardware that supports pdSense. See also
You
should be running a pfSense firewall in InfoWorld Dec. 2014.

MikroTik routers have been recommended by techies. I have no experience with them. They run a Linux system
called RouterOS which is available for free and runs on many computers. They offer a number of routers for under $100 but the majority of their line is high end. Their hardware is sold at routerboard.com. The $50 MicroTik RB750GR3 hEX Router was reviewed by Doug Reid at SmallNetBuilder September 25, 2017. He found it a very powerful, cheap router that may drive you crazy trying to configure it.

Ubiquiti Networks normally deals with techies, but in May 2016 they announced a new line, AmpliFi, targeted at consumers. The
first AmpliFi product is a router
sold with two pre-matched Wi-Fi extenders (not a mesh). It is expected to ship in the summer of 2016. There will be three models, priced at $200, $300 and $350. No idea yet about router security but at least the company has a long history making router firmware. It will allow a single guest network with a maximum number of guests, each of which can be time limited. First look.

Ubiquiti has a whole line of Edge Routers and the bottom-of-the-line model, the EdgeRouterX sells for only $50. It doesn't do Wi-Fi. The User Guide is online. Steve Gibson raved about it on his
Security Now podcast in July 2016. It can function as a PPTP VPN server and supports IPsec VPNs for site-to-site use. Setting up an OpenVPN server requires the command line.

While I have no personal experience with it, many have also spoken highly of the Ubiquiti EdgeRouter Lite that sells for about $100. It has a console port and three Ethernet ports, none of
which are dedicated. It does not do WiFi. The user interface may be too difficult for anyone that is not a networking techie. Some have said that the documentation is almost non-existent. Doug Reid reviewed it in June 2017 for SmallNetBuilder.com and warned that: the GUI is still a work in progress, it is not plug and play, tech support is only available from a community forum and QoS kills the performance. On the upside, it is highly configurable, if you know what you're doing.

I have no personal experience with DrayTek but they seem to be a business class vendor and I have heard good things about them (second hand). Their routers, however, are barely available in the US. As of June 2018, I saw the Vigor-2925n for $260, the Vigor 2926n for $250 (dual WAN, /Wi-Fi only 2.4GHz), the Vigor 2926ac for $300 (Dual-WAN, Wi-Fi ac). Cheaper was the
Vigor 2912 for $115 (no Wi-Fi, Dual WAN, can connect a 4G modem to the USB port as backup net access). See a demo of the web interface for the Vigor 2926 series.

DNSthingy is a service ($8/month as of July 2017) for controlling everything about DNS for devices on a LAN. Parental control on steroids, if you will, with adblocking thrown in too. For Asus routers, it is customized firmware with the addition of the DNSthingy service. Or, they will sell you a few Asus routers with their firmware pre-installed. For pfSense, it installs as a service. Or, they will sell you a pfSense box with their service pre-installed. clearOS is also supported. For their Asus firmware, my big question would be if they mirror Asus bug fixes into their firmware. Are they trustworthy? I have no experience with it, but their FAQ says "DNSthingy provides all of the security of a VPN connection" which is clearly not true. Their site offers no details about the company offering the service.

Cradlepoint makes business routers and they have a couple low end models priced around $200 or so. They seem to specialize
in 3G/4G Internet access. The specs of one router say it supports WiFi as WAN but
someone at Amazon said they do not support it.
I have been very successful with WiFi as WAN on my Pepwave Surf SOHO when my wired Internet access failed, so I consider it an important feature.
The cost of tech support is also a concern. I have no first-hand experience with this but people at Amazon have said that you have to pay for tech
support even with a new router (here and
here)
The Cradlepoint website does not show the cost of tech support.
According to 3G Store its about $28/year for their
consumer routers.

Security Router from Halon Security is based on OpenBSD, with the main differentiator being the single, revision-managed, clear-text configuration file with soft re-configuration and documented security architecture. It competes with Cisco IOS and Juniper Junos. Its free and runs from a USB flash drive or as a virtual machine.

While I suggest stepping up from consumer routers, you can step too high. Examples of this would be either a device or software billed as UTM (Unified
Threat Management) or NGF (Next Generation Firewall). Sophos offer NGF both as a hardware device and a software download. For their explanation of
what it does see Firewall for dummies
- or, what do we mean by a next-generation firewall?. CheckPoint, Sonicwall, Fortinet and Watchguard offer UTM devices. Both UTM and NGF do a lot, require a techie to setup and maintain, are expensive to buy and require ongoing paid software maintenance.

Jim Salter, writing for Ars Technica, argued in Jan. 2016 that you should build your own router, assuming you are very familiar with Linux and iptables. In April 2016, he followed this up: The Ars guide to building a Linux
router from scratch. In June 2016, he pointed out the limitations:
"... setting up your own router from a generic server distro isn't a project for everyone. It certainly isn't user-friendly, both during the build process and once it's finished ... it's definitely arcane, with absolutely no hand holding along the way. If you aren't already very experienced with Linux, you'll likely do a lot of puzzled head scratching (and maybe a little cursing). You won't get a super feature-rich build once you're done, either ... you won't have fancy quality of service features, usage graphs, or much of anything else...".

SmallWall bills itself as a small and lean firewall. It is an outgrowth of m0n0wall, its based on FreeBSD and runs on low end
x86 hardware. You can download it for free (the ISO is only 23MB) or buy it pre-installed in a box for as low as $250. At that price, Wi-Fi is not included, but a supported Wi-Fi card can be
installed into the box.

IPFire is an Open Source Linux Firewall available both as software only or as a hardware appliance.
IPFire was designed to be modular an flexible. The primary objective of IPFire is security. Updates are digitally signed and encrypted and can be automatically installed by Pakfire. Users are notified by mail of updates. IPFire is not based on any other Linux distribution, it is compiled from the sources of every included package.

Just for the sake of completeness, I mention the BSD Router Project. BSDRP is only available as software. It is
a free open source router distribution based on FreeBSD with Quagga and Bird. The main goal of BSDRP is not firewalling but routing. If you are looking for
a firewall, or for sharing Internet access, the developers of BSDRP suggest m0n0wall or pfSense instead. BSDRP does not have a Web interface,
it is configured from a command line. BSDRP is not intended for home use.

Another UTM version of Linux is ClearOS. The website says "ClearOS is an operating system for your Server, Network, and Gateway systems. It is designed for homes, small to medium businesses, and distributed environments. ClearOS is commonly known as the Next Generation Small Business Server, while including indispensable Gateway and Networking functionality." There is a free community edition, a rented home edition,
a rented Business edition and a virtual version. It is also available on hardware devices starting at $1,200 without WiFi.

Slightly off topic are the Xclaim access points from Ruckus Wireless. I say off-topic because they are not
routers, just access points (they have a single Ethernet port). That said, if you need great WiFi, Ruckus should be on the short list. I have owned a Ruckus
router (don't think they make routers any more) and was impressed with its WiFi. Introduced in November 2014, Xclaim is a new product line for Ruckus.
It's their cheapest line. For $90 you get a single band N device, concurrent dual-band N is $200 (see a review).
Stepping up to ac WiFi (see a review)
costs $250. They are configured either via the cloud or a smartphone app, there is no web interface.

One way to avoid consumer router firmware is to install alternate, third-party firmware.

myopenrouter.com is devoted to open source router firmware on Netgear devices. According to Jim Salter, writing in
Ars Technica in May 2017: "Netgear directly runs myopenrouter.com, where they actually collaborate with open source developers who are adapting builds of open source firmware for installation on Netgear routers. This is extremely cool, not least because it means that you can install firmware from myopenrouter directly onto a supported Netgear router using the router's own Web-based interface. It's certainly possible to install DD-WRT or OpenWRT on a non-Netgear consumer router, but it's generally a giant pain in the ass and a good way to potentially brick your router. "

In The Router rumble:
Ars DIY build faces better tests, tougher competition (Sept. 2016) Jim Salter wanted to test the x86 build of DD-WRT, but found that it hasn't had a stable release for 8 years, the last stable version wouldn't boot and the newest beta was mind-blowingly awful, both in terms of performance and
bugs. He also tested DD-WRT on a Netgear Nighthawk X6 where someone named Kong curates the builds. The Kong builds were good, the raw beta
builds were buggy as heck. The Kong builds also install easily and safely and did well in performance tests. But, Salter notes "you're depending on some semi-anonymous person named after a movie gorilla to keep up with vulnerabilities, comb the bugs out of your firmware, and resist the urge to sell you out to the NSA."

How to Choose the Best Firmware to
Supercharge Your Wi-Fi Router offers an overview of available firmwares. By Alan Henry April 1, 2015. There are two approaches to using alternate firmware: install it yourself or buy a router with it pre-installed. The article notes that Buffalo sells routers with DD-WRT pre-installed. So to, some VPN providers
sell routers with open firmware and client software for their VPN.

Note however, the title of the article above, it refers to supercharging a router, not making it more secure.
Craig Young of Tripwire, an expert on the subject, said in April 2015:
"... alternative open firmware ... is not necessarily ... any more secure or even more frequently updated than commercial router firmware. Back in 2012 I submitted a report to DD-WRT while testing a D-Link device running DD-WRT v24-sp2. The bug report is still open 2.5 years later. The advantages for an advanced user include the ability to have enterprise style features on consumer hardware as well as to fix bugs for themselves, remove unwanted services, and truly lock down the router. For the non-technical user however the benefits are far more limited and the difficulty to configure the system is far greater."

In a December 2012 article at SmallNetBuilder, ASUSWRT-Merlin
Reviewed, Scott DeLeeuw wrote: "The dirty little secret of alternative firmware is that the open source drivers it must use aren't always the best. This is particularly true of wireless drivers, where chip manufacturers work closely with their customers to squash bugs and tweak performance ... DD-WRT and Tomato add a wealth of features, they usually introduce problems of their own along with potentially lower performance." For ASUS routers, he much preferred ASUSWRT-Merlin firmware by Eric Sauvageau.

Tomato was replacement firmware for the Linksys WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other
Broadcom-based routers. The last release was in June 2010. See WikiPedia.

InvizBox, based in Dublin, Ireland, offers two routers, the InvizBox 2 and the InvizBox Go. Each comes in two flavors and is sold with a year or two of VPN service from IP Vanish. Documentation from the company is very simplistic and, to a techie, useless. They promise all good stuff without any details on what it actuall does. They wrote an undated blog about competitor Keezel.

First generation: called InvizBox has been discontinued. It supported Tor rather than a VPN. It was based on OpenWRT and was first released in March 2015. It used Ethernet for Internet access and had a second Ethernet port. It was reviewed by Daniel Aleksandersen in Feb. 2016: InvizBox review: Tor anonymity in a box (last updated Sept. 2017). It was open source.
In March 2015 it cost $39. In Jan. 2016, it was $49 or $99 with a year of VPN service. On April 19, 2016, it was $139 with 12 months of VPN service from an unknown provider. On Aug. 14, 2016 it was $109 with a year of still-mystery VPN service. In Jan. 2016 it was expected to ship Feb. 2016. On April 19, 2016, it was to ship in April 2016. On May 8, 2016 it was expected to ship in May 2016. On Aug. 14, 2016 it was expected to ship in early July 2016. On Sept 16, 2017 it sold for $49 with just Tor. By March 2018, it was gone.

Second generation: The InvizBox Go is a portable VPN router that also features ad blocking, can act as a Wi-Fi extender and a power bank. It does not seem to do Ethernet. The website says it also supports Tor. On Sept 16, 2017 it cost $139 with one year of VPN service. On March 24, 2018 it cost $160 wit one year of VPN service from IP Vanish or $200 with two years, or $120 with 2 months. It was on Kickstarter.

There was a Kickstarter for the third generation, called
InvizBox 2 that was to end Oct 17, 2017 with estimated delivery of April 2018. It gets plugged into an existing router via Ethernet. Setup instructions for the InvizBox 2 make no sense: "Connect it to your home router and that’s it. The setup is complete. Simply connect your laptop, phone, smart TV or any other device over WiFi or wired connection. All of your Internet traffic is now encrypted, ensuring your privacy and security." Not sure if it does Tor. On March 23, 2018 the regular model was $150 and the Pro version was $220. The difference was not clear to me. Both prices include 1 year of VPN service.

April 2016: There are now four models of Anonabox. The high end model is the Anonabox Pro and it sells for $100 on Amazon. It uses 2.4GHz Wi-Fi for both input
and output (5GHz is not supported). It also has a WAN Ethernet port and a single LAN Ethernet port. It runs, or is based, on OpenWRT (not clear). It can be
powered from a USB port, its not clear if it has an internal battery. The included VPN service is HideMyAss which has been shown, multiple times, to do logging. Review:
Hands-on: Go
(almost) anonymous on the Internet with Anonabox by Roger A. Grimes April 19, 2016. The initial setup described here is very insecure, which is troubling for a
device selling security. In addition to being a TOR client, you can also set yourself up as a TOR exit node or even run your own .onion website.
Review: Anonabox Pro Tor And VPN Router Review by Josh Norem. April 29, 2016. He tested the top of the line Pro model. "...all of the issues we've seen brought up in other reviews have been fixed or addressed in the most current form of the Anonabox." The VPN service is free for 30 days. Can use it as a secondary router by plugging an ethernet cable into a LAN port on your router and the WAN port on the Anonabox. Then, use the LAN port on Anonabox for a computer. Anonabox also does WiFi N. The instructions may not be completely clear to users with minimal networking experience. Local administration is HTTP. A single click connects to TOR. User interface is for techies. Tech support is good.

The Tiny Hardware Firewall was endorsed by Leo Laporte,
a.k.a. The Tech Guy. There are three models, sold by the vendor for $30 or $35. The smallest model has no Ethernet ports (its too small), the other two models have an Ethernet WAN port and an Ethernet LAN port. A big limitation is that it works with only one VPN provider, HotSpotVPN. Purchases come with one year of VPN service. Expect to pay about $91 for the second year of service. Laporte warns that it can take 5 minutes to boot up. He also claims that it can engage both the VPN and TOR at the same time. These are low end devices, Ethernet is 100Mbps, WiFi is G and N.

When most consumers encounter a VPN router, they are dealing with a router that can function as a VPN server. Much more interesting, to me, are the very few routers that can function as VPN clients. That is, the software necessary to connect to a VPN server, is built into the firmware. Very few routers, running the software they shipped with, can function as a VPN client. However, alternate firmware, such as DD-WRT and Tomato, do include VPN client software. Complicating things, however, are the multiple types of VPN. The most popular seem to be OpenVPN, L2TP/IPsec and PPTP with PPTP being the worst option as it is the least secure. HowToGeek wrote about this in
July 2015.

On the low end is the GL.iNet GL-AR750 router that comes with OpenWRT and an OpenVPN client. It is sold as a travel router and its pretty small. It is dual band, with three 100Mbps Ethernet ports, a USB 2.0 port and a MicroSD slot. It is powered by Micro USB and can run off the USB port of a computer. An Amazon user felt the hardware was not powerful enough to run a VPN through it with reasonable speed. It has a WISP mode, which seems to be analogous to what Peplink calls Wi-Fi as WAN. Simply put, it can use a Wi-Fi network as its Internet connection and still provide a Wi-Fi network for your devices to use. See the User Guide from June or Nov. 2017.
In April 2018, Amazon was selling it for $45.

Both Synology routers can function as VPN clients for PPTP, OpenVPN and L2TP/IPsec. You would never know it from this miserable documentation that only mentions a VPN client for WebVPN, Synology SSL VPN, and SSTP. The writeup is not even clear if that's referring to the router being the server or the client. But, vendor specs for the RT1900ac say it can function as as a VPN client for PPTP, OpenVPN and L2TP/IPSec. A Feb. 2016 review by Lester Chan reported that it worked fine with VyprVPN.

FlashRouters.com sells many standard consumer routers that have been flashed to run either DD-WRT or Tomato. You pay a premium for this service. They have documentation on configuring their routers to work with many VPN providers such as HideMyAss, IPVanish, PureVPN, VyprVPN and PrivateInternetAccess and the offer "3 months of basic Internet and VPN setup support from our knowledgeable staff" for free. They support all of three popular types of VPNs and non-techies can provide their VPN provider username and password and the router should be ready to use out of the box.

RouterSource.com is much like FlashRouters in that they offer consumer routers flashed to run DD-WRT. In addition, they offer
their own router firmware called SABAI OS which was derived from Tomato. They claim SABAI is simple enough for non-techies (I have never used it). Both of their firmwares support PPTP and OpenVPN, they do not seem to support L2TP/IPsec. Their free tech support is for one year. They have a working relationship with 15 VPN providers and 11 others are known to be compatible with their routers.

ThinkPenguin sells TPE-R1100 Wireless-N Mini VPN Router for $49 as of July 2016. It has a single LAN side Ethernet port and the Wi-Fi tops out at N. It runs LibreCMC which is based on the Linux-libre kernel and a stripped down version of OpenWRT without the non-free bits.

Easy VPN Router sells two TP-Link routers flashed with OpenWRT and configured to work with Private Internet Access. As of April 2017, the TP-Link N300 is $60 and the TP-Link AC1750 is $150. Plans are to support another VPN provider in the future.

The OVPNbox is a VPN router from VPN provider OVPN.se. It is based on pfSense, runs FreeBSD and has a single LAN port. As of April 2017, they only ship to Europe.

ExpressVPN offers tutorials on configuring their VPN service to work with many routers such as: Asus
OpenVPN, D-Link L2TP, FlashRouters DD-WRT, FlashRouters Tomato, DD-WRT OpenVPN, Tomato OpenVPN, Sabai OpenVPN and more. They also offer their own routers and an app that can be installed on some routers.
A Oct. 2016 review of a Linksys router with ExpressVPN pre-installed
noted that you can disable the VPN per device but individual devices cannot use different servers.

A word of warning about running Tor on a router from Matt Casperson: "Tor is only as secure as those applications whose data it is transferring, and one of the benefits of the Tor bundle is a browser that has disabled a number of plugins that are known to leak identifiable information."

The PogoPlug Safeplug is also a TOR router. Consumer Reports liked it, but a more trustworthy source (which I have lost track of) said the security it uses stinks.

The Cloak router was to be a cheap router with two networks: one that is normal and one that sends all traffic through the TOR network. It will run a modified version of OpenWrt. This could be a great solution, but the website (as of May 26, 2015) says nothing about whether it is now available or when it may become available. Update Oct 22, 2015: the website has not been updated in months, it seems the project has been abandoned.

The Portal router is hard to classify. Its main claim to fame is improved use of the 5GHz frequency band. By adding new hardware and software, the router will offer additional channels in the 5GHz band, which should come in very handy in areas with many Wi-Fi networks. I mention it here because this new device was also touted as having some interesting security features: intrusion detection (not explained anywhere yet), 2 factor authentication for the web GUI, and a new take on Guest network security. Later documentation on the security is incomprehensible to me:
-- Portal combines the security and privacy capabilities of iOS or Android devices with those of WiFi
-- Portal protects your family’s privacy with things like continual intrusion detection, geo-fencing and ID obfuscation
-- Cloud-based authentication provides Portal users with improved security, including dynamic, adaptive guest virtual access.
-- It creates virtual networks for individual guest users
Too soon to tell if this is miserable documentation or if they are selling snake oil. As of Oct 14, 2016, the page on their website that is supposed to explain how it works is non-existent. The firmware for this router is very new, from their website it seems that the
ability to create a Guest Network was rolled out Oct 1, 2016. The firmware is based on OpenWRT and setup is done via a mobile app and bluetooth. Any early review appears to be a press release in disguise. It says the router is pretty and that it creates a mesh network, despite being a single device. Now thats a trick! Photos show that the LAN ports don't have LED lights, which I take as a bad sign. The antennas are internal (to make it pretty). It was expected to ship in late summer 2016 but actually shipped in early Oct. 2016. As of Oct 14, 2016, it cost $200 at the only available outlet, Amazon.com, which said it usually ships in 1 to 2 months. portalwifi.com

Most of the press around Luma has to do with its mesh network, but, the company is also touting security. They claim to constantly monitor "for viruses that try to infiltrate your network". Another
security claim is: "Luma alerts on unknown devices that attempt to join your network and can be configured to block them". No details however are provided. It should also have parental control that can monitor network devices in "real time" and set per-user Internet use limits and content level policies. Finally, it claims to: "identify if there are devices onyour network with weak passwords and can alert you if it detects that a computer is infected with malicious software". We'll see. There is no web interface, just a smartphone app (iOS, Android). As of March 13, 2016 it was scheduled to ship in Spring 2016. It actually shipped around July 2016. As of Aug. 2016 a set of three is $350 and a single one is $150. The SNB review at the end of July 2016 said the price for a three-pack was $400. Early reviews say its not fully baked. When doing initial setup from a smartphone app, they require location services to be enabled on the phone. Not good. If the router is off-line
it can not be configured. As of late July 2016 the router does not report its own firmware release number. WPS is not supported. The only supported WiFi encryption is WPA2-AES PSK.

NetSequre (formerly Genie) is a router from Open Netware focused on security. For example, it creates two WiFi networks, one for adults and one for children. It also offers phishing and malware site protection, Online Child Safety, ad blocking and anti-tracking. And, it self-updates. Initially, it was a single WiFi N router sold in India. Now, the firmware is available for over 200 routers including models from TP-Link, D-Link, Netgear, Linksys, Belkin, Asus and more. There are two versions, one for low end hardware with fewer features and one for faster hardware with more features. Downloading and installing the firmware is free. The yearly cost of ownership is $18/year and $23/year with a free trial of 3 months.

A number of security devices are planned. Some are routers, others sit between your router and modem and yet others can plug into a router. These upcoming security devices are getting some press attention. See These Devices Are Trying To Secure The Internet of (Hackable) Things by Lorenzo Franceschi-Biccheirai (Jan. 8, 2016 at Motherboard). This list is in no particular sequence.

The Avira SafeThings is router firmware "which vendors can integrate into their products or that consumers can purchase as a complete offering from us directly." Its chock full of sexy buzzwords, Avira calls it " an ecosystem: a platform as a service solution installed on the router, an AI-driven behavioral threat intelligence cloud platform, together with a user interface that enables users easily know what is going on within their home network ... a disruptive technology in an exceptionally easy-to-use package to secure the smart home." It will automatically discover and profile connected smart home devices and identify normal behavior for each device so that it can flag anomalies. It does cloud too which means it phones home with info about your network. A router with it is scheduled to be released later in 2018 and Avira is trying to get ISPs to pre-install it. We have already seen McAfee and Trend Micro embed security software in routers. See Avira SafeThingsTM WiFi Router will provide comprehensive protection for smart homes against cyber threats by Avira February 22, 2018.

A device called Dojo plugs into your router and watches your network for security
issues. There is a companion smartphone app, of course. Dojo is a rock/pebble looking thing that glows different colors to indicate current status. Pre-orders started Nov. 2015 for $99 with a year of service. The estimated price then was $199 with a year of service. The first devices were expected in March 2016. As of May 8, 2016 there was no expected ship date. In August 2016, Dojo Labs was purchased by BullGuard.
On Oct 15, 2016, Amazon.com said it was unavailable. By May 2017, that page had disappeared, replaced with this one. In January 2017 it was
reported that Dojo would be available in the US in mid-April 2017.
On May 31, 2017 Wired did a puff piece about it saying it went on sale that day for $200 (including the first year of service). Amazon, however, said it ships in 1 to 2 months. The ongoing charge, after the first year, will be $99/year. On June 1, 2017, TechCrunch wrote:"All traffic on a home network has to be routed via the Dojo for it to be able to see what's going on ... and perform its anomaly detection function ... You'll also need to be comfortable providing a third party company with data stream visibility of your home network."

OLD: The Flter router plans on offering Tor, its own VPN service and VPN client software for use with any VPN provider. It is a
Kickstarter project that was launched in February 2017 and is expected to be released in June 2017. It will also block malicious ads. Its VPN client wil support OpenVPN, OpenConnect and L2TP/IPsec. Fltr is a 4-person company founded in 2015. This has been replaced by Beam, see below.

Beam is a second generation secure router from the Brooklyn, New York company that started with Flter (above). The company is now (June 2018) called Passel and has 5 employees. They also have their own VPN service called Forcefield. Beam is an IndieGoGo project set to expire June 30, 2018. As of a week beforehand, they had raised $256,000. Their goal was only $30,000. Beam is a VPN client router using, by default, their own Forcefield VPN. It should work with other VPN services too. Their VPN service can be used on your devices when traveling. The Beam router supports VLANs, access point isolation, MAC address spoofing and it can force all devices to use its configured DNS servers. You can let some devices bypass the VPN in the router. It will also offer Tor and they say it will self-update. Beam will scan your network for vulnerabilities and alert you on how to fix them. It shares intrusion attempts with other Beam routers. It can block IP addresses and even block entire countries. It also blocks ads and lets you disable IPV6. As of June 2018, estimated delivery is October 2018. See also Beam: An Advanced Home Router with Security and Privacy Features from Encrypt The Planet (June 8, 2018).

Originally expected to ship in Jan. 2017, the Betterspot router was supposed to support Tor and a single VPN provider. It is from a Canadian VPN provider, Betternet. It is designed to be a second router, that is, to plug into a LAN port on an existing router. It will only work with their VPN as it uses a proprietary protocol. The VPN service is $5/month or $30/year. The box is $100. They claim it will self-update. A prototype was reviewed Sept. 19, 2016 by Simon Hill of Digital Trends. It can only be configured with an iOS app, but Android and web interface are planned. Note that the Betternet VPN service was dinged for miserable security in January 2017. See
here,
here,
here and
here. As of early August 2017, it had moved from KickStarter to IndieGoGo and the expected ship date was August
2017. As of March 2018 it is not available, but judging by Amazon.com comments, it was available.

German made eBlocker offers ad blocking and tracker blocking. Quoting their website: "eBlocker is a smart device that anonymizes your online behavior. It blocks all ads, stops all trackers, hides your IP - and lets you surf truly anonymously - on ALL your devices.". It is not clear how they hide your public IP address. They mention TOR in their FAQ, but the description makes no sense to me. Initially it only worked with HTTP websites, now it also supports HTTPS, which may be a bad thing, I could not find a detailed explanation of how they intercept TLS. Rather than putting eBlocker in front of your router, you plug it into a LAN port. This means it must be doing ARP spoofing on your LAN to pretend to be your router. There are two versions of the product, Pro and Family. Pro is the simpler version; the Family version supports parental controls and different users, each with their own profile. This requires each person to logon to the eBlocker using a personal PIN. It self-updates its list of bad stuff daily. It started as a Kickstarter project. In Jan. 2016, the product was estimated to ship in the second quarter of 2016. In Aug. 2016 the Pro version without Wi-Fi was available for $179 and the Family version was $199. Wi-Fi enabled versions of each were expected at the end of Aug. 2016. It came to the U.S. in 2017 and may now only protect Wi-Fi devices (not clear). As of July 2017, the Pro is $219, the Family is $249. After a year, updates are $59/year for Pro, $99/year for Family. You can also download the software for free and install it on a Raspberry Pi or Banana Pi. In Oct. 2018, David Strom said the default menus are in German and you need to know some German to change it to English. He also had trouble getting a new public IP address using it.

ArmorVPN is a Kickstarter project that ends Sept 20, 2017. It is both a VPN and Tor box that sits between a modem and router. There are two Ethernet ports but it is also portable, an internal battery is claimed to last 8 hours. You can buy it without any VPN service, or it has deals with TorGuard and PureVPN. Any OpenVPN VPN provider should be compatible. Some configuration can be done with a touchscreen. It is expected to cost $70 with an estimated ship date of Jan. 2018. The software that runs on this device is planned to be released as open source once a patent is secured on the hardware. See This VPN box makes privacy and security a doddle from Sept 8, 2017.

Keezel is a portable VPN device. The output is a secure WiFi network that your devices talk to. The input is another WiFi network, perhaps
a public one, perhaps your home WiFi. The device makes a VPN connection over the input WiFi network, giving attached devices access to the VPN. There is no Ethernet port but they claim you can use a USB-to-Ethernet adapter. It is powered either by its internal battery or a USB port. Keezel says they use three different VPN providers but they refuse to identify them. They claim their VPN usage is more secure than normal because their mystery VPN providers don't know the identity of Keezel customers. In turn, since Keezel does not run the VPN, they state that they can't spy on their users. Original design was WiFi G, now it also does WiFi N on the 5 GHz band. For $99 you have to use your own VPN. With one year of VPN service, it costs $129, for two years $169. Shipping was initially scheduled for March 2016. As of April 2016, it had been pushed back to June 2016. As of Sept 1, 2016, an article said October 2016 but their website said Sept. 2016. As of Oct 15, 2016, the
estimated ship date on their website was Sept. 2016. I heard nothing about Keezel for two years, then in June 2018, an advertisement disguised as an article showed up on Mashable written by "Team Commerce". This scam article says the thing regularly sells for $600 but is on sale for $450. It includes a lifetime VPN subscription (always a bad idea) to something called Premium VPN. No thanks.

On Aug. 1, 2017, Karma Mobility announced a new product, Karma Black, that they say will provide "anonymous browsing through Tor, an integrated VPN, black listing, and ad blocking." The announcement said nothing else; nothing on pricing or which VPNs it will support. Availability is planned for September 2017.

Fortigis does not exist. It is/was an IndieGoGo project from Yiannis Giokas that did not meet its goal. It is/was an ambitious security device that works alongside an existing router.
It controls and manages who connects to your Wi-Fi network and alerts you when someone is trying to connect. It includes a VPN client, Firewall, Intrusion Prevention System, Antivirus, and Anti-malware. Maybe it has died? There was no activity on their Twitter feed in May and June 2018. For more see Fortigis - Home Network Security Device from April 2018.

NOTE: Itus Networks is gone. || Another company front-ending your router is ITUS Networks. In August 2014 they were planning on releasing a product called iGuardian by Feb. 2015. As of Nov. 2015, there was no more iGuardian. The idea was to run Snort, an Intrusion Prevention System (IPS) on top of OpenWRT. It too, did every good thing in the world, protecting against: viruses, phishing scams, malicious websites, Java, browser, and file exploits. It would also block drive-by-downloads, watering-hole attacks, botnets, data-theft, remote access Trojans, and key-loggers. And, if a computer on the LAN tried to contact a known bad server, that too would be blocked. The product line had 4 devices, as of Nov. 2015, only the WiFi Shield was shipping. There was no date for when the Shield Pro would ship. The Shield Mobile was said to be coming soon. The ITUS Pro was scheduled for release in early 2016.

As explained on the Introduction to Routers page, anyone with a combination modem-router device (typically called a gateway), needs to dumb down the device to merely act as a modem, in order to add their own router. This is often called "bridge mode".

Many devices are sold that claim to add security to an existing network. This section was added Sept. 26, 2017 and is surely incomplete.

The Fingbox does every good thing in the world. Plug it into your router, and get security. Typical marketing. I could not find any technical discussion of what the thing does, just stuff pitched at non techies. Fingbox costs $129 as of Dec. 2017. It first became available in October 2017.
It connects via Ethernet to a LAN port of a router. For it to babysit all the devices connected to the router, it has to be futzing with ARP and making itself the default gateway. If you use VLANs, you need one for each VLAN. Some routers block some features. It collects data about your network activity and sends it to Fing. So, people who want security get more surveillance. See the User Guide version 1.4, Fing app v6.4.x from November 24, 2017. Features: block kids from using the Internet during dinner time, notify you of new devices on your network, block any device from accessing the Internet, it detects any nearby WiFi device, even those not on your network (is Billie home yet?), bandwidth analysis, Wi-Fi signal strength analysis, test Wi-Fi and wired speeds, detect evil twin networks and report on open ports in router (not in LAN side devices). It can detect whether UPnP or NAT-PMP is enabled, and close router ports they may have opened. It was reviewed in Dec. 2017 by Doug Reid for SmallNetBuilder.com. After reading the review it seems to me like it makes sense for a small business, but not for home use. The data collection will give some of us pause.

Perhaps the first such device was the Bitdender box, a home network security appliance. David Strom reviewed it in June 2015: Bitdefender Box Review: Pandora Had Fewer Problems. At the time it cost $199 to purchase and $99/year to own. In August 2017, it was reviewed by Doug Reid at SmallNetBuilder.com. The box has two 100Mbps Ethernet ports and 2.4GHz Wi-Fi and includes a Bitdefender software subscription. However, it only inspects outbound traffic and is hard to install. It needs to be the DHCP server for the LAN and it sets itself as the default gateway, even when working with an existing router.
Outbound connections are checked by the Bitdefender cloud. If a URL is considered malicious, it is blocked and a message appears in the mobile app. The thing also scans
the LAN for devices with security flaws. The box does not detect DoS attacks either incoming or outgoing. At the time, it sold for $130.

Like Dojo, the Cujo also sits between your router and modem (logically or physically) and offers security protection (but no privacy protection). It is billed as a smart firewall. The original plan was for it to offer firewall, anti-malware, antivirus, deep-packet inspection and machine learning protection. Only some of these features were in the first release. Steve Gibson pointed out in July 2016 that it can run in either Gateway mode or Bridge mode. The new mode lets it plug into a LAN port of your router. So, how does it then intercept LAN traffic? It does an ARP spoofing attack on your LAN. Quoting the company "We send packet header data (but not full packets) to our cloud to analyze device behavior, compare your traffic to commercial threat intelligence feeds, and to make sure that unauthorized IP's do not connect to your network." And, this: "CUJO analyzes your local network traffic data locally and in real time. It then sends statistics on that data to the cloud for further analysis ... we don't send the contents of those packets to the cloud. If a threat or suspicious activity is detected, CUJO will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it." The pre-order price was $99 and the first models were expected to ship in March 2016. As of April 19, 2016, the expected ship date was end of May 2016. The devices actually shipped in July 2016for $99 with 6 months of service included. Afterwards, service is $9/month. SmallNetBuilder first reviewed it in Sept 2016, then again June 2017. See CUJO Smart Internet Firewall - Second Look by Doug Reid. In the cloud CUJO keeps tracks of bad IP address. It is also aware of normal device behavior.

This press release: Cigent Announces Availability of Recon Sentinel, Allowing Small Office and Home Office Users to Fight Back Against Cyber Attacks (June 11, 2018) is all fluff. Recon Sentinel is a small box that plugs into a router and "automatically finds everything that is connected to your network." Then, the fluff begins: it "adds a layer of detection and defense above and beyond traditional antivirus, antimalware, and firewall solutions ... adds endpoint security that keeps users from losing their data once a breach does occur ... detects and block nefarious behavior ... constantly looking for signs of intrusion or other cybercriminal activities ... uses sophisticated deception technology to identify hacking activity." Its costs $150 for the first year and $100/year thereafter.

In January 2018, Netgear announced a forthcoming security subscription service for their routers called Armor. Basically, it is Bitdefender antivirus running in the router. There is a 90 day free trial, thereafter it will cost $70/year. As of July 31, 2018, it was available for only two Netgear routers, the R7000P and the R6900P. When it will become available for other models is not known. The number of features is long, perhaps too long. My favorite feature is that it dings the router administrator when a new device joins the network and lets the admin block the new device. It also claims to block viruses, spyware, spam, phishing and bad websites. Netgear claims it will scan your LAN and report on connected devices with vulnerabilities and weak passwords. We'll see. The subscription lets you install Bitdefender security software on your Android, iOS, Windows, and Mac devices. Your network can be remotely managed at armor.netgear.com. I have not seen a single review of the service. Note that a similar service from Trend Micro and used inside Asus routers had been found to spy on you.

Owners of the Eero mesh router system can pay an extra $10/month for added security called Eero Plus. They have partnered with a few companies to offer assorted security features. From Zscaler they get a database of threats to protect you from malicious websites with viruses, phishing scams, and more.
It claims to block everything bad: ransomware, malware, viruses and ads. It also watches out for unknown or suspicious domains. It lets you download Malwarebytes on up to 3 devices. It can control what your kids can access. They partnered with the 1Password password manager. Paying for the service gets you VIP tech support from Eero. Finally, it lets you install the encrypt.me VPN (formerly known as Cloak) on your devices (it does not run in the router). Eero Plus costs $99/year the same price as the VPN service by itself (assuming unlimited bandwidth).

Press release: D-Link Wi-Fi Router Powered by McAfee Will Automatically Protect Connected Home Devices January 8, 2018. The D-Link AC2600 router is expected to be released in the second half of 2018 at an unknown price. It will feature security by the McAfee Secure Home Platform that will monitor the network for malicious activity, whatever that means. It will also monitors the network activity of individual devices for threats such as visits to malicious sites. It will notify you when a device on your network does not have antivirus software installed. It will have parental controls that can restrict activities by device, including the types of websites visited and times of day that Internet access is allowed. Parents can monitor their kids' online activities.

Securifi's Almond Routers Get Subscription-based IoT Device Security Service by Ganesh T S at AnandTech Jan 4, 2017. A subscription-based cybersecurity thing for routers that focuses more on traffic rather than viruses. It claims to report on connected devices with ports open to the Internet (nothing new here) and/or weak login credentials. Also claims to analyze the traffic pattern of connected devices to ensure that popular IoT devices are communicating only with their vendors' servers. It should detect devices whose traffic pattern is indicative of being a botnet member. I can also monitor the websites browsed by selected devices (parents watching kids). My favorite feature: notifications when a new device joins your network. An issue with all these systems is data leakage and the article says: "It must be noted that some of the above captured data is stored in Securifi's servers because they need to send push notifications to the user's smartphone even if it is away from the primary network." After a free trial, price will be from $4 to $10/month.

Millions of Routers are about to Get a Lot More Secure a Press Release. May 9, 2018. Many IoT devices lack basic security and privacy protection capabilities. F-Secure is trying to secure them by offering its F-Secure SENSE product directly to router makers and operators as software. They call it their Connected Home Security solution. It is said to integrate network and cloud security, router security and endpoint protection into a single experience for end users.

Minum, in their own words, "is an IoT platform that enables and secures a better connected home." They will offer an add-on to router firmware that they hope to get ISPs and router vendors to incorporate. Quoting again: "Minim’s self-learning platform employs Quantum Fingerprinting and behavioral models to detect threats before they become problems." They are also partnering with IoT device manufacturers.

These routers are marketed as being secure, I have not tried any of them (other than Turris).

The Turris Omnia may have been the first router sold for its security features. It is fully open source, both the hardware and software. The OS is based on OpenWRT. It is from CZ.NIC, a non-profit organization that runs the .CZ top level domain of the Czech Republic. I was lent one inJune 2018 and my notes about it are here.

F-Secure is working on a product called SENSE but their website explanation of what the product does is poor.
It does every good thing you could imagine, curing Cancer and world peace included. Eventually, they called it a secure router and app. In fairness, here is their lead: "Secure your smart home with one device, now and in the future. Sense creates a secure network for all of your connected devices to monitor and protect them through one simple interface. With privacy and security both at home and on the go, you have the freedom to unleash your smart lifestyle." Beats me what the product does. Here's more: "Sense creates a secured Wi-Fi network in your home. Traffic in the network is analyzed by Sense with the help of F-Secure security cloud, where threat definitions are updated in real time. The cloud leverages next generation security features such as machine learning and behavior based threat analysis to give you corporate-level security in your own home, and block attacks before they even happen. Sense also blocks unwanted tracking attempts ..." My concern is that like the Trend Micro software in Asus router, could F-Secure be reading your emails as part of checking things for viruses? Eventually they got clearer: "F-Secure SENSE is the combination of a smart security router, an advanced security app and industry-leading cloud protection." There is no web interface and no system that depends on a mobile app can ever be really secure, in my opinion. Sense does not include a VPN or Tor but they plan to integrate their VPN service in the future. As of Aug. 2017 it does not support a Guest network, but that is planned. Considering the security offered by a Guest network, it makes me question their competence. It includes software for Windows and Macs. See the Quick Guide PDF, their Twitter account and their firmware release history.
As of Nov. 2015 they were taking pre-orders with an estimated ship date of Spring 2016.
As of Oct 2016, they were still taking pre-orders for 200 Euros, which includes a one-year subscription but there was no estimated ship date.
As of May 2017 it was available in Denmark, Finland, France, Germany,
Ireland, Netherlands, Norway, Sweden and United Kingdom.
As of July 2017, it was available in the US for $199 which includes the first year of an ongoing subscription that will cost $119 after the first year. The router is said to be usable without the subscription.
As of Sept. 2018 it is still $199 and there is free shippingYour Questions On F-Secure SENSE, Answered Videos from F-Secure. No author, undated. Reddit AMA August 2017F-Secure Sense Review by Brian Nadel of Toms Guide Nov 1, 2017. No WPS but support is planned. Ugh. Each Wi-Fi frequency band is required to have a different SSID. Ugh. Does not support static IP addresses. Ugh. No parental controls. Windows software includes a firewall. During initial setup, you "can opt out of having local data about usage sent to F-Secure." F-Secure provides 24/7 phone support.

Gryphon is a 17-employee startup in San Diego working on "Safe, Secured, and Fast WiFi for Whole House". When they say security, they mostly mean parental controls but it also does Intrusion Detection via machine learning and Whole House Malware Protection. They claim to block DDoS attacks and monitor IoT devices for unusual network traffic. It should prevent user from clicking on websites with malware and claimed to scan network traffic with antivirus tools. Its mesh too. There are 72 reviews at Amazon. One points out that you have to register for an account with the company, which is never great for privacy. At least initially, it only offered two SSIDs.
HISTORY: They have been on IndieGoGo, Kickstarter and Backerkit. Bloomberg wrote about them in Nov. 2016.
Shipping was initially planned for June 2017. In August 2017, shipping was expected in October 2017. In Feb. 2018 they claimed to have "received the first production batch of Gryphons last week and are in the process of shipping them."
PRICING: As of Feb. 2018 pricing at Backerkit was $250 for a single unit and $450 for a pair while pricing at their website was $200 for a single device and $350 for a pair. In Sept. 2018, it cost $240 at Amazon where it was not offered as a pair.
Parental controls are free forever but network protection is only free for first year. Then, if you want it, it will cost $100/year.
REVIEW: by James Brains of Business Insider sometime in Sept. 2018. The author admitted to not being techie enough to evaluate the security of the router. So, why does the company give him a router to review? Could they be afraid of a technical examination? Company launched in 2014. He found the parental controls to be "tedious". Its fast. Installation was a pain.

Bit Defender Box 2 - A May 2018 review in Mashable says that it monitors Internet traffic and provides security alerts but that it does not have a Guest network. It introduces a new hassle, router user profiles. Security features cost $99 a year but it comes with one year of service for $200. It has only one Ethernet port and the website uses a DV certificate which is a bad look for a company selling a security appliance.

People buy an Eero router mesh system for the Wi-Fi, but in a May 2018 blog post, eero is designed to keep your network safe & secure they brag about the security of their routers. Of course, they point out that eeros can self-update. Fair enough, even though this is not unique to eero. They also point out that they "validate the security of our software" which seems a bit vague to me. They prevent a counterfeit eero product from connecting to your network (a problem I have never run into) and note that "software updates are only distributed from the eero cloud, and updates are checked for authenticity before installing" which is great indeed. Finally, they say that, when needed, they can issue rapid security updates but they don't give an example of having done so.

The pcWRT router is sold for Parental Controls rather than security. For $129 you get dual band AC Wifi with GB Ethernet. For $99 you get only Wi-Fi N. The website says nothing about who created the router. There is an online demo. The pcWRT Parental Control Router User's Guide is only 5 pages.